The Lync Server 2010 Edge functionality described in this reference architecture is very similar to what was first introduced in Office Communications Server 2007 R2, with the following exceptions:

Port 8080 is used to route traffic from the reverse proxy internal interface to the pool virtual IP (VIP). It is optional and can be used by mobile devices running Lync to locate the Autodiscover Service in situations where modifying the external web service publishing rule certificate is undesirable (for example, if you have a large number of SIP domains).

Port 4443 is used to route traffic from the reverse proxy internal interface to the pool virtual IP (VIP).

Port 4443 is used to route traffic from the pool Front End Servers to the Edge internal interface.

There are several options for the 50,000 – 59,999 port ranges, but the following figure shows the common configuration for interoperability with previous versions of Office Communications Server. For details about the options for configuring this port range, see Determining External A/V Firewall and Port Requirements.

Enterprise perimeter network for scaled consolidated edge

When reading the following tables, (in) refers to traffic going from a less trusted network to a more trusted network, such as Internet-to-perimeter or perimeter-to-corporate; for example, traffic from the Internet to the edge external interface, or from the edge internal interface to the next hop pool. (out) refers to traffic going from a more trusted network to a less trusted network, such as corporate-to-perimeter or perimeter-to-Internet; for example, traffic from a corporate pool to the edge internal interface, or from the edge external interface to the Internet. (in/out) refers to traffic that flows in both directions.

Inbound/Outbound edge traffic

We recommend that you only open the ports required to support the functionality for which you are providing external access.

For remote access to work for any edge service, SIP traffic must be allowed to flow bidirectionally as shown in the Inbound/Outbound edge traffic figure. Stated another way, the Access Edge service, which handles SIP, is involved in instant messaging (IM), presence, web conferencing, and audio/video (A/V).
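As an added illustration (not part of the original reference architecture, and not Microsoft's tooling), the following Python script encodes the (in)/(out) trust convention above and the reverse proxy and Edge ports named on this page, then audits a constructed sample rule set so that any rule outside the documented flows is flagged for review, in line with the recommendation to open only the ports that are required. Zone names and the sample rules are assumptions made for the example.

```python
from dataclasses import dataclass

# Trust ranking behind the page's (in)/(out) convention:
# (in) = less trusted -> more trusted, (out) = the reverse. Zone names assumed.
TRUST = {"internet": 0, "perimeter": 1, "corporate": 2}

# Flows named on this page, keyed by (port, source zone, destination zone).
# Reverse proxy and Edge sit in the perimeter; pools and Front Ends in corporate.
DOCUMENTED_FLOWS = {
    (80, "internet", "perimeter"): "HTTP to reverse proxy external interface (Autodiscover)",
    (443, "internet", "perimeter"): "HTTPS to reverse proxy external interface",
    (8080, "perimeter", "corporate"): "HTTP reverse proxy internal -> pool VIP (optional)",
    (4443, "perimeter", "corporate"): "HTTPS reverse proxy internal -> pool VIP",
    (4443, "corporate", "perimeter"): "HTTPS Front End Servers -> Edge internal interface",
}


@dataclass(frozen=True)
class Rule:
    port: int
    src_zone: str
    dst_zone: str


def direction(rule):
    """Classify a rule as (in), (out) or same-zone from the trust ranking."""
    s, d = TRUST[rule.src_zone], TRUST[rule.dst_zone]
    if s < d:
        return "in"
    return "out" if s > d else "same-zone"


def audit(rules):
    """Split a rule set into documented flows and rules needing review.
    Anything not in DOCUMENTED_FLOWS is a candidate for removal under the
    'open only the ports required' recommendation."""
    documented, unexpected = [], []
    for r in rules:
        key = (r.port, r.src_zone, r.dst_zone)
        if key in DOCUMENTED_FLOWS:
            documented.append((r, direction(r), DOCUMENTED_FLOWS[key]))
        else:
            unexpected.append((r, direction(r)))
    return documented, unexpected


# Constructed sample rule set: three documented flows plus two rules that should
# be flagged (an unrelated port, and a documented port in the wrong direction).
SAMPLE_RULES = [
    Rule(443, "internet", "perimeter"),
    Rule(4443, "perimeter", "corporate"),
    Rule(4443, "corporate", "perimeter"),
    Rule(3389, "internet", "perimeter"),
    Rule(8080, "corporate", "perimeter"),
]
```

Running `audit(SAMPLE_RULES)` returns the three documented flows (the Front End to Edge internal flow classified as (out), the other two as (in)) and flags the last two rules for review.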

Firewall Details for Reverse Proxy Server: External Interface

Also required if you are using the Autodiscover Service for mobile devices running Lync in situations where the organization does not want to modify the external web service publishing rule certificate.

Firewall Details for Reverse Proxy Server: Internal Interface

Required if using the Autodiscover Service for mobile devices running Lync in situations where the organization does not want to modify the external web service publishing rule certificate.

HTTP 8080 (in): Traffic sent to port 80 on the reverse proxy external interface is redirected to a pool on port 8080 from the reverse proxy internal interface so that the pool web services can distinguish it from internal web traffic.

HTTPS 4443 (in): Traffic sent to port 443 on the reverse proxy external interface is redirected to a pool on port 4443 from the reverse proxy internal interface so that the pool web services can distinguish it from internal web traffic.

Note:

When reading the previous tables, (in) refers to traffic going from a less trusted network to a more trusted network, such as Internet-to-perimeter or perimeter-to-corporate; for example, traffic from the Internet to the reverse proxy external interface, or from the reverse proxy internal interface to a Standard Edition pool or a hardware load balancer VIP associated with a Front End pool.

Also required if you are using the Autodiscover Service for mobile devices running Lync in situations where the organization does not want to modify the external web service publishing rule certificate.

(Optional) Required if using the Autodiscover Service for mobile devices running Lync in situations where the organization does not want to modify the certificate on the external web service publishing rule.